docs/pages/identity-governance/access-requests/oss-role-requests.mdx
Just-in-time Access Requests are a feature of Teleport Enterprise.
Teleport Community Edition users can get a preview of how Access Requests work by requesting a role using the Teleport CLI. Full Access Request functionality, including Resource Access Requests and an intuitive, searchable UI, is available in Teleport Enterprise.
Teleport's role-based access control (RBAC) allows you to configure which roles users can request access to. In this example, we will define two roles:

- `contractor`: users with this role can request elevated access to the `dba` role
- `dba`: this role grants access to databases

There is no role for request approvers, because request approval rules can only be configured for Teleport Enterprise. In Teleport Community Edition, approvals must be performed by running `tctl` on the Teleport Auth Service.
## Contractor role

Users with this role can request access to the `dba` role.

```yaml
kind: role
version: v5
metadata:
  name: contractor
spec:
  allow:
    request:
      roles: ['dba']
```
Define this role in the file `contractor-role.yaml` and create it with `tctl`:

```console
$ tctl create contractor-role.yaml
```
Use `tctl` to assign this role to a user (`alice` in this example), keeping the roles the user already has:

```console
$ tctl users update --set-roles \
  $(tctl get users/alice --format=json | jq -r '.[].spec.roles | join(",")'),contractor alice
```
## DBA role

This role grants access to databases.

```yaml
kind: role
version: v5
metadata:
  name: dba
spec:
  allow:
    db_labels:
      '*': '*'
  options:
    # Only allows the contractor to use this role for 1 hour from time of request.
    max_session_ttl: 1h
```
Define this role in the file `dba-role.yaml` and create it with `tctl`:

```console
$ tctl create dba-role.yaml
```
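Before creating roles like the two above, it is worth checking that every requestable role actually exists and that it bounds elevated sessions with `max_session_ttl`. The following linter is an added example for this page, not part of the Teleport docs or of `tctl`; it takes role documents as already-parsed dicts (the two roles above are embedded as constructed samples) and the `8h` policy limit is an assumed value.

```python
"""Lint Teleport role definitions used for role Access Requests.

For every role that lists requestable roles (spec.allow.request.roles), check that:
  * each requestable role is defined,
  * each requestable role bounds elevated sessions with options.max_session_ttl
    and that the TTL stays within a policy limit,
  * no requestable role can itself request further roles (this linter's own
    no-chaining policy, not a Teleport requirement).
"""
import re

# Teleport durations use Go syntax, e.g. "1h", "30m", "8h30m", "90s".
_DURATION_RE = re.compile(r"(\d+)([hms])")
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Return the number of seconds in a Go-style duration such as '8h30m'."""
    parts = _DURATION_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def lint_request_roles(roles, max_ttl="8h"):
    """Return a list of findings; an empty list means every check passed."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    findings = []
    for name, role in by_name.items():
        for target in role.get("spec", {}).get("allow", {}).get("request", {}).get("roles", []):
            if target not in by_name:
                findings.append(f"{name}: requestable role {target!r} is not defined")
                continue
            spec = by_name[target].get("spec", {})
            ttl = spec.get("options", {}).get("max_session_ttl")
            if ttl is None:
                findings.append(f"{target}: no max_session_ttl, elevated sessions are unbounded")
            elif parse_duration(str(ttl)) > parse_duration(max_ttl):
                findings.append(f"{target}: max_session_ttl {ttl} exceeds policy limit {max_ttl}")
            if spec.get("allow", {}).get("request", {}).get("roles"):
                findings.append(f"{target}: requestable role can itself request roles")
    return findings


# Constructed samples: the two roles defined on this page, as parsed YAML.
CONTRACTOR = {"kind": "role", "version": "v5", "metadata": {"name": "contractor"},
              "spec": {"allow": {"request": {"roles": ["dba"]}}}}
DBA = {"kind": "role", "version": "v5", "metadata": {"name": "dba"},
       "spec": {"allow": {"db_labels": {"*": "*"}}, "options": {"max_session_ttl": "1h"}}}

if __name__ == "__main__":
    for finding in lint_request_roles([CONTRACTOR, DBA]) or ["all checks passed"]:
        print(finding)
```

Run it against the roles exported with `tctl get roles --format=json` after loading them with the `json` module.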
In Teleport Community Edition, requests are made from the `tsh` CLI. To create an Access Request, use the `tsh request create` command:

```console
$ tsh request create \
    --roles=dba \
    --reviewers=bob \
    --reason="performing DB migration tonight"
```
By default, this command blocks until the request is approved. To submit the request without waiting for approval, add the `--nowait` flag.
Alternatively, `tsh` can automatically create an Access Request during the login process. To activate this behavior, specify the `--request-roles` flag:

```console
$ tsh login --user=alice --request-roles=dba
# Seeking request approval... (id: bc8ca931-fec9-4b15-9a6f-20c13c5641a9)
```
This waits for the request to be approved and then automatically issues credentials that include the `dba` role.
To log in and submit the request without waiting for approval, add the `--request-nowait` flag. In this scenario, you will receive your regular roles upon login, and can elevate your access after the request is approved:

```console
# log in with an approved access request
$ tsh login --request-id=bc8ca931-fec9-4b15-9a6f-20c13c5641a9
```
You can list requests using `tsh request ls`:

```console
$ tsh request ls
# Token                                Requestor Metadata       Created At (UTC)    Status
# ------------------------------------ --------- -------------- ------------------- -------
# bc8ca931-fec9-4b15-9a6f-20c13c5641a9 alice     roles=dba      07 Nov 19 19:38 UTC PENDING
```
In Teleport Community Edition, Access Requests must be reviewed by a cluster administrator with the ability to run `tctl` on the Auth Service.

Administrators can list requests with `tctl requests ls`, and view the details of a particular request with `tctl requests get <id>`.

To approve or deny a request, use `tctl request approve` or `tctl request deny`. For example, to deny a request:

```console
$ tctl request deny \
    --reason="today's migration has been canceled" \
    bc8ca931-fec9-4b15-9a6f-20c13c5641a9
```
Reviewers can approve the request while also overriding the set of roles in the request:

```console
$ tctl request approve \
    --roles="db-support" \
    --reason="approved access to db-support, dba is not necessary" \
    bc8ca931-fec9-4b15-9a6f-20c13c5641a9
```